This tutorial will walk you through adding and managing accounts and users.
Before you start this tutorial, some things to understand:
- Pro or Enterprise edition is required
- This tutorial is for managing users who are on our newer user model (true of almost all New Relic users)
- This tutorial will be easier if you first have a basic understanding of:
- This presents one recommended workflow but no particular order of steps is required.
- For an example spreadsheet showing how an organization might plan out their users' access, see the group access planning spreadsheet.
This tutorial will walk you through:
- Organization creation
- How to add accounts
- How to set up an authentication domain
- How to set up custom roles
- How to manage group access
- How to add users
When you sign up for New Relic, your New Relic organization is created. The organization structure represents a New Relic customer: it's what contains everything relevant to a customer's use of New Relic: their accounts, their users, and their data.
When a New Relic organization is created, it contains a single account. Pro and Enterprise edition organizations can add more accounts.
When your organization is created, it has two default user groups, which have roles and accounts already assigned. When you add users via the UI, there are two default groups you can assign users to:
- Admin: can use and configure observability features for that initial account, and the ability to view and configure organization-wide administration settings (like adding accounts, managing authentication settings, and adding/removing users).
- User: can use and configure observability features (but lacks access to the admin abilities that the Admin group has).
You can see the access assigned for these default groups by going to the Access management UI:
You can see how the User group has the All product admin role and access to that initially created account. And you can see how the Admin group has some administration settings assigned. The
Default next to those group names refers to them being in the original, default authentication domain.
If you want to create admins who can only add and remove users, and who don't have the more powerful organization-wide admin capabilities that the Admin group has, you can use the Group admin role.
Before adding your users in New Relic, you might want to get some data reporting and set up additional accounts.
For reasons why you might want to create more accounts, see Organization structure.
For how to add accounts, see Add accounts.
When your organization is first created, the groups and users are located in a default authentication domain, named
Default. An authentication domain is a grouping of New Relic users governed by the same user management settings, like how they're provisioned (added and updated), how they authenticate (log in), session settings, and how user upgrades are handled.
The default authentication domain settings are:
- Users are manually added and managed via the New Relic UI
- Users manually log in to New Relic using their email and password
Having that single domain will be fine for many organizations, but some larger organizations want one or both of the following:
- Single sign-on (SAML SSO)
- Managing their users from their identity provider via SCIM provisioning
If you need single sign-on or SCIM provisioning, you'll have to create an additional authentication domain. Note that groups and users are contained within authentication domains, and you can't easily change an authentication domain's provisioning setting or authentication setting once the domain is created: this means you should spend some time thinking about what your authentication domain settings should be before you add users to them.
If you want to use SAML SSO or SCIM provisioning, see these options:
We have several default-available roles, which we call standard roles. Some of these are assigned to the Admin and User groups that are available by default.
If you have Pro or Enterprise edition, you can create your own custom roles. Creating custom roles is optional. If you don't have a need for custom roles, you can skip this section.
Some tips to help you understand what roles are:
- Users are assigned to groups (for example, the default Admin and User groups), and those groups are assigned various roles and accounts. Put another way: it's not the group that gives users access to New Relic permissions: it's the roles.
- A role contains various permissions. For example: the permission to create and modify alert conditions, or the permission to delete data ingest license keys (for more information, see Permissions).
- Unlike groups and users, roles are not contained in an authentication domain: they're available across the entire organization.
To view existing roles: from the user menu, click Administration, then click Access management, and then click Roles.
To create a custom role, click Add new custom role. Review the list of available permissions and decide which ones your custom role needs.
Here's a short video showing how to create a custom role (4:07 minutes):
Groups are used to group your users and manage what your users are able to do in New Relic. You assign groups one or more roles on one or more accounts.
To set up groups optimally, you'll need to think about what groups you'll need, what roles those groups should have, and what account access those groups should have.
If you have a relatively flat organizational structure, and are okay with all or many of your users having wide administrative access and access to all accounts, you'll probably only need at most a few extra group configurations. For example, you might decide to add more accounts to the existing default Admin or User groups. Or, if you need more granular definition over roles and permissions, you'd create new groups with access to specific roles (either our standard roles or custom-defined roles).
For an example user access planning spreadsheet, see our group access planning spreadsheet.
To view existing groups: from the user menu, click Administration, and then click Access management. Under the Groups tab, you'll see the existing groups and what access they've been assigned.
You can manage groups via either the UI or via API:
Due to how we bill per calendar month, there are reasons you may want to wait until the beginning of a month to add users. For more on that, see User billing.
If you're using SCIM provisioning, you should be done at this point because your groups and users are imported from your identity provider. You can move to the verification step.
Otherwise, you'll need to add users. In the user management UI, you can see your users and the groups they've been assigned to.
Suggested steps for adding users via the UI:
- To view users and see their groups: from the user menu, click Administration, and click User management.
- Optional: select your authentication domain using the domain switcher. (Remember that groups reside within the boundaries of an authentication domain).
- To add a user, click Add user. Complete the prompts in the UI, including choosing the user type and group. Any custom groups you've added are available from the group dropdown. If the custom group you choose has a role and account assigned, once you add the user to that group, that user will have access.
To edit a user's group or other details: click on the user you want to edit and make changes. For tips on bulk editing and other common tasks, see Common user management tasks.
You can also use our NerdGraph API to add and manage users
Ideas for checking that your users are configured correctly:
- Go to the User management UI and Access management UI and see if the groups and grants assignments look correct and make sense.
- Have some of your users see if they can log in and access the accounts they expect to see.
Ideas for next steps:
- Set up more New Relic integrations
- Add more users